Merge branch 'main' into castrojo-patch-3

build/ublue-os-just/etc-distrobox/apps.ini

@@ -18,3 +18,4 @@ image=ghcr.io/ublue-os/obs-studio-portable
 nvidia=true
 exported_apps=obs
 entry=false
+pull=true

build/ublue-os-just/etc-distrobox/distrobox.ini

@@ -6,39 +6,54 @@
 [arch]
 image=ghcr.io/ublue-os/arch-distrobox:latest
 nvidia=true
+pull=true
+
+[arch-amdgpupro]
+image=ghcr.io/ublue-os/arch-distrobox-amdgpupro:latest
+nvidia=false
+pull=true
 
 [bluefin-cli]
 image=ghcr.io/ublue-os/bluefin-cli
 nvidia=true
+pull=true
 
 [debian]
 image=quay.io/toolbx-images/debian-toolbox:unstable
 nvidia=true
+pull=true
 
 [fedora]
 image=ghcr.io/ublue-os/fedora-distrobox:latest
 nvidia=true
+pull=true
 
 [opensuse]
 image=quay.io/toolbx-images/opensuse-toolbox:tumbleweed
 nvidia=true
+pull=true
 
 [ubuntu]
 image=ghcr.io/ublue-os/ubuntu-toolbox:latest
 nvidia=true
+pull=true
 
 [alma]
 image=quay.io/toolbx-images/almalinux-toolbox:latest
 nvidia=true
+pull=true
 
 [centos]
 image=quay.io/toolbx-images/centos-toolbox:latest
 nvidia=true
+pull=true
 
 [wolfi]
 image=ghcr.io/ublue-os/wolfi-toolbox
 nvidia=true
+pull=true
 
 [wolfi-dx]
 image=ghcr.io/ublue-os/wolfi-dx-toolbox
 nvidia=true
+pull=true

build/ublue-os-luks/90-ublue-luks.conf

@@ -0,0 +1 @@
+add_dracutmodules+=" fido2 tpm2-tss pkcs11 pcsc "

build/ublue-os-luks/build.sh

@@ -7,6 +7,7 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 mkdir -p /tmp/ublue-os/rpmbuild/SOURCES
 
 cp ${SCRIPT_DIR}/luks* /tmp/ublue-os/rpmbuild/SOURCES
+cp ${SCRIPT_DIR}/90-ublue-luks.conf /tmp/ublue-os/rpmbuild/SOURCES
 
 rpmbuild -ba \
     --define '_topdir /tmp/ublue-os/rpmbuild' \

build/ublue-os-luks/luks-disable-tpm2-autounlock

@@ -1,45 +1,81 @@
 #!/bin/bash
 ## disable auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
-set -u
+set -euo pipefail
 
 [ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
 
-read -p "This will modify your system and disable TPM2 auto-unlock of your LUKS partition! Are you sure you've read the script and are good with this? " -n 1 -r
+echo "This script utilizes systemd-cryptenroll for removing tpm2 auto-unlock."
+echo "You can review systemd-cryptenroll's manpage for more information."
+read -p "This will modify your system and disable TPM2 auto-unlock of your LUKS partition! Are you sure you are good with this? " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
-  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+  [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
 fi
 
-DISK_UUID=$(sudo awk '{ print $2 }' /etc/crypttab | cut -d= -f2)
+## Inspect Kernel Cmdline for rd.luks.uuid
+RD_LUKS_UUID="$(xargs -n1 -a /proc/cmdline | grep rd.luks.uuid | cut -d = -f 2)"
+
+# Check to make sure cmdline rd.luks.uuid exists
+if [[ -z ${RD_LUKS_UUID:-} ]]; then
+  printf "LUKS device not defined on Kernel Commandline.\n"
+  printf "This is not supported by this script.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+# Check to make sure that the specified cmdline uuid exists.
+if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
+  printf "LUKS device not listed in block devices.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+# Cut off the luks-
+LUKS_PREFIX="luks-"
+if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
+  DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
+else
+  echo "LUKS UUID format mismatch."
+  echo "Exiting..."
+  exit 1
+fi
+
+# Specify Crypt Disk by-uuid
 CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
 
+# Check to make sure crypt disk exists
+if [[ ! -L "$CRYPT_DISK" ]]; then
+  printf "LUKS device not listed in block devices.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
 ## Restore the crypttab
 cp -a /etc/crypttab /etc/crypttab.working-before-disable-tpm2
 if [ -f /etc/crypttab.known-good ]; then
   echo "Restoring /etc/crypttab.known-good to original /etc/crypttab"
   mv /etc/crypttab.known-good /etc/crypttab
-else
-  echo "No /etc/crypttab.known-good found to restore"
 fi
 
 ## Wipe luks slot
-cryptsetup luksDump $CRYPT_DISK | grep systemd-tpm2 > /dev/null
-if [ 0 -eq $? ]; then
+if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
   echo "Wiping systemd-tpm2 from LUKS on $CRYPT_DISK"
-  systemd-cryptenroll --wipe-slot=tpm2 $CRYPT_DISK
+  systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
 else
   echo "No systemd-tpm2 found in LUKS to wipe"
 fi
 
 ## Disable initramfs
-rpm-ostree initramfs | grep tpm2 > /dev/null
-if [ 0 -eq $? ]; then
+if rpm-ostree initramfs | grep tpm2 > /dev/null; then
   echo "WARNING: if you configured initramfs for anything other than TPM2, this wipes that too..."
   echo "here's a printout:"
   rpm-ostree initramfs
   echo
   echo "Disabling rpm-ostree initramfs..."
   rpm-ostree initramfs --disable
 else
-  echo "TPM2 was not found in 'rpm-ostree initramfs'..."
+  echo "TPM2 is not configured in 'rpm-ostree initramfs'..."
 fi
+
+echo "TPM2 auto-unlock disabled..."
+echo "To reenroll TPM2 auto unlock please run ujust setup-luks-tpm-unlock..."

build/ublue-os-luks/luks-enable-tpm2-autounlock

@@ -1,57 +1,76 @@
 #!/bin/bash
 ## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
-set -u
+set -eou pipefail
 
 [ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
 
-read -p "This will modify your system and enable TPM2 auto-unlock of your LUKS partition! Are you sure you've read the script and are good with this? " -n 1 -r
+echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
+echo "You can review systemd-cryptenroll's manpage for more information."
+echo "This script will modify your system."
+echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
+echo "It will bind to PCR 7 only which is tied to your secureboot state."
+read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
-  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+  [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
 fi
 
-## Inspect crypttab to find disk info, should look like this
-#sudo cat /etc/crypttab
-#luks-912462a2-39ce-abcd-1234-89c6c0304cb4 UUID=912462a2-39ce-abcd-1234-89c6c0304cb4 none discard
-DISK_UUID=$(sudo awk '{ print $2 }' /etc/crypttab | cut -d= -f2)
-CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+## Inspect Kernel Cmdline for rd.luks.uuid
+RD_LUKS_UUID="$(xargs -n1 -a /proc/cmdline | grep rd.luks.uuid | cut -d = -f 2)"
 
-## Backup the crypttab
-if [ -f /etc/crypttab.known-good ]; then
-  echo "Our backup already exists at /etc/crypttab.known-good\nExiting..."
-  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+# Check to make sure cmdline rd.luks.uuid exists
+if [[ -z ${RD_LUKS_UUID:-} ]]; then
+  printf "LUKS device not defined on Kernel Commandline.\n"
+  printf "This is not supported by this script.\n"
+  printf "Exiting...\n"
+  exit 1
 fi
-cp -a /etc/crypttab /etc/crypttab.known-good
 
-## modify the crypttab
-grep tpm2-device /etc/crypttab > /dev/null
-if [ 0 -eq $? ]; then
-  echo "TPM2 already present in /etc/crypttab. Exiting..."
-  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+# Check to make sure that the specified cmdline uuid exists.
+if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
+  printf "LUKS device not listed in block devices.\n"
+  printf "Exiting...\n"
+  exit 1
 fi
-sed -i "s/discard/discard,tpm2-device=auto/" /etc/crypttab
 
-cryptsetup luksDump $CRYPT_DISK | grep systemd-tpm2 > /dev/null
-if [ 0 -eq $? ]; then
-  KEYSLOT=$(cryptsetup luksDump $CRYPT_DISK|grep -A23 systemd-tpm2|grep Keyslot|awk '{print $2}')
-  echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $CRYPT_DISK. Exiting..."
-  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+# Cut off the luks-
+LUKS_PREFIX="luks-"
+if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
+  DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
+else
+  echo "LUKS UUID format mismatch."
+  echo "Exiting..."
+  exit 1
+fi
+
+# Specify Crypt Disk by-uuid
+CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+
+# Check to make sure crypt disk exists
+if [[ ! -L "$CRYPT_DISK" ]]; then
+  printf "LUKS device not listed in block devices.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
+  KEYSLOT=$(cryptsetup luksDump "$CRYPT_DISK"|grep -A29 systemd-tpm2|grep Keyslot|awk '{print $2}')
+  echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $CRYPT_DISK."
+  echo "Remove the existing TPM2 enrollment with ujust remove-luks-tpm2-autounlock"
+  echo "Exiting..."
+  [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 
 ## Run crypt enroll
 echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
-echo
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 $CRYPT_DISK
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$CRYPT_DISK"
 
 
-lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null
-if [ 1 -eq $? ]; then
+if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
   ## add tpm2-tss to initramfs
-  rpm-ostree initramfs | grep tpm2 > /dev/null
-  if [ 0 -eq $? ]; then
+  if rpm-ostree initramfs | grep tpm2 > /dev/null; then
     echo "TPM2 already present in rpm-ostree initramfs config."
     rpm-ostree initramfs
-    echo
     echo "Re-running initramfs to pickup changes above."
   fi
   rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss

build/ublue-os-luks/ublue-os-luks.spec

@@ -1,7 +1,7 @@
 Name:           ublue-os-luks
 Packager:       ublue-os
 Vendor:         ublue-os
-Version:        0.1
+Version:        0.3
 Release:        1%{?dist}
 Summary:        ublue-os scripts for simplified LUKS usage
 License:        MIT
@@ -11,9 +11,10 @@ BuildArch:      noarch
 
 Source0:        luks-disable-tpm2-autounlock
 Source1:        luks-enable-tpm2-autounlock
+Source2:        90-ublue-luks.conf
 
 %description
-Adds scripts to simplify LUKS autounlock with TPM
+Adds scripts and dracut config to simplify LUKS autounlock
 
 %prep
 %setup -q -c -T
@@ -22,12 +23,21 @@ Adds scripts to simplify LUKS autounlock with TPM
 
 install -Dm755 %{SOURCE0}  %{buildroot}%{_libexecdir}/luks-disable-tpm2-autounlock
 install -Dm755 %{SOURCE1}  %{buildroot}%{_libexecdir}/luks-enable-tpm2-autounlock
+install -Dm644 %{SOURCE2}  %{buildroot}/%{_exec_prefix}/lib/dracut/dracut.conf.d/90-ublue-luks.conf
 
 %files
 %attr(0755,root,root) %{_libexecdir}/luks-disable-tpm2-autounlock
 %attr(0755,root,root) %{_libexecdir}/luks-enable-tpm2-autounlock
+%attr(0644,root,root) %{_exec_prefix}/lib/dracut/dracut.conf.d/90-ublue-luks.conf
 
 %changelog
-* Mon Apr 30 2024 Benjamin Sherman <[email protected]> - 0.1
+* Thu Jul 04 2024 m2Giles <[email protected]> - 0.3
+- Rewrite enable script to fail out if disk is not found
+- LUKs disk is determined from kernel commandline instead of /etc/crypttab
+
+* Sat Jun 29 2024 Benjamin Sherman <[email protected]> - 0.2
+- Add tpm, fido2, pkcs11 to dracut config enabling initramfs LUKS unlock options
+
+* Tue Apr 30 2024 Benjamin Sherman <[email protected]> - 0.1
 - Add tpm2 autounlock enable/disable scripts
 - Original source: https://github.com/bsherman/ublue-custom/

cosign.pub

@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHLRpBfPRYiMl9wb7s6fx47PzzNWu
+3zyJgXhWEvxoOgwv9CpwjbvUwR9qHxNMWkJhuGE6cjDA2hpy1I6NbA+24Q==
 -----END PUBLIC KEY-----

files/usr/etc/containers/policy.json

@@ -23,7 +23,7 @@
             "quay.io/toolbx-images": [
                 {
                     "type": "sigstoreSigned",
-                    "keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
+                    "keyPath": "/etc/pki/containers/quay.io-toolbx-images.pub",
                     "signedIdentity": {
                         "type": "matchRepository"
                     }
@@ -32,7 +32,7 @@
             "ghcr.io/ublue-os": [
                 {
                     "type": "sigstoreSigned",
-                    "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
+                    "keyPath": "/etc/pki/containers/ublue-os.pub",
                     "signedIdentity": {
                         "type": "matchRepository"
                     }

files/usr/etc/pki/containers/ublue-os.pub

@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHLRpBfPRYiMl9wb7s6fx47PzzNWu
+3zyJgXhWEvxoOgwv9CpwjbvUwR9qHxNMWkJhuGE6cjDA2hpy1I6NbA+24Q==
 -----END PUBLIC KEY-----

scripts/fix-key-and-update.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/bash
+#
+# This is a tool to provide easy change to the new Universal Blue image signing key, updated July 2, 2024.
+#
+# Note: this is required for upgrades to images published after July 1, 2024, and will prevent downgrading
+# to images published before July 2, 2024.
+#
+set -eu
+
+# Require root privileges
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root"
+  exit 1
+fi
+
+# Fetch the new public key from ublue-os's github repo, updating the local copy.
+echo "Fetching the new public key from ublue-os's github repo..."
+curl https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub > /etc/pki/containers/ublue-os.pub
+
+# Ensure the path to the public key matches the local copy location.
+echo "Updating the path to the public key in the container policy..."
+sed -i.bak "s#/usr/etc/pki/containers/ublue-os.pub#/etc/pki/containers/ublue-os.pub#" /etc/containers/policy.json
+
+# Update system, respecting new public signing key.
+echo "Updating the system..."
+rpm-ostree update